Bermuda’s cybersecurity law transformation is well underway

Published: 4 Jun 2024
Type: Insight

We are almost six month into 2024, and this year has already been transformative for IT and cyber security law and regulation in Bermuda.

And all of those developments continue a recent and robust trend of IT and cyber law reform in Bermuda.

On 22 January 2024, the Bermuda Monetary Authority’s ( BMA ) 2024 Business Plan confirmed its continuing focus on cyber risk supervision, its interest in considering how AI will impact financial services, and its commitment to its IT Strategy: Vision 2025.

As well, the BMA has made clear the real connection that exists between IT and cyber operational risk, outsourcing transactions, business continuity planning and data protection across the critical infrastructure that the BMA regulates.

Recently, the Computer Misuse Act 2024 was introduced by the Bermuda Government to provide enhanced legal weapons to fight cybercrime. Heavily based on UK law for those matters, the new Act replaces Bermuda’s previous 1996 statute of the same name and is intended to reflect international best practices to address both computing innovations and to greatly enhance penalties.

However, our newest Computer Misuse Act 2024 may not be the final word on computer misuse criminal law reform given the many law reform recommendations that are advanced in UK’s Criminal Law Reform Network’s 2020 report titled “Reforming The Computer Misuse Act 1990”. There may be more to come on that front.

On 31 May, Bermuda’s new Cybersecurity Act 2024 was passed by the House to address the need for the regulatory oversight across numerous essential services and critical infrastructure in Bermuda that the Government will more specifically identify in the weeks ahead.

In passing the Cybersecurity Act, the Government has decided to create a new regulatory regime under Ministerial oversight rather than simply directing existing regulators, like the Bermuda Health Council and the Regulatory Authority, to implement their own models of proportional risk based IT and cybersecurity regulation, which would likely follow the BMA’s very successful formulation, implementation and management of such regulations in recent years.

The end result, however, is expected to be very similar across all essential services and their regulators, even if different proportional risk based security standards, practices and governance requirements are stipulated under that Act. That Act’s implementation process, including the introduction of all such regulatory standards in the weeks to come, is expected to include diligent industry consultation and the responsive consideration by Government toward improving that Act’s relevance and effectiveness.

Finally, as many have been following, Bermuda’s Personal Information Protection Act 2016 ( PIPA ) will come into full force at the end of this year. Indeed, PIPA also includes laws that require IT and cybersecurity safeguards and addresses third party services such as outsourcing, the transfer of personal information overseas, and related data protection duties and responsibilities.

There is no question that the legal landscape of IT and cybersecurity in Bermuda is undergoing transformational change in all of its facets, from the fundamental standards of diligent corporate governance to all of the commercial IT service and outsourcing agreements that every critical infrastructure participant enters into with their affiliates and commercial service providers.

Share
More publications
Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.

Appleby-Website-Insurance-and-Reinsurance
8 May 2026

Outsourcing considerations for Bermuda insurers

As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.